Posted
by
Soulskill
on Friday August 13, 2010 @04:04PM
from the spicy-security dept.

Trailrunner7 writes "As applications have become more and more complex in recent years and Web browsers have evolved into operating systems unto themselves, the task of securing desktop environments has become increasingly difficult. And while there's been quite a bit of innovation on Windows security, advances in Unix security have been less common of late. But now, a group of researchers from Google and the University of Cambridge in England have developed a new sandboxing framework called Capsicum, designed specifically to provide better security capabilities on Unix and Unix-derived systems (PDF). Capsicum is the work of four researchers at Cambridge and the framework extends the POSIX API and introduces a number of new Unix primitives that are meant to isolate applications and users and handle rights delegation in a better way. The research, done by Robert N.M. Watson, Ben Laurie, Kris Kennaway and Jonathan Anderson, was supported by Google, and the researchers have added some of the new Capsicum features to a version of Google's Chromium browser in order to demonstrate the functionality."

I completely agree that POTUS is off his rocker with this latest linux distro and there is nothing wrong with the metric system! Now if you'll excuse me, I'm off to finish porting NES ROMS to a Timex watch running OpenBSD. Cue Apple fanboys in 3......2.......1......

While I can't decipher what this article is referring to in particular, Chromium is the base for Chrome. Think of it as the development platform. Everyone should be using Chromium instead of Chrome because Chromium doesn't have the built in usage tracking that Chrome has

The real problem is Chrome is not open source. It's a proprietary, binary blob that is based on open source. If Microsoft released a hypothetical browser based on Chromium, let's call it Crummium, it would be exactly the same thing, but without the Googly-woogly "trust us, we're not evil" claim attached.

This sentence is plain stupid. It's implying that people who use Windows' Chrome build don't use IE because it's closed source.

I wasn't implying that. I used Microsoft as an example of a company that wouldn't get a free pass for releasing an "open source" browser consisting of a proprietary binary based on an open source base.

And I am not implying that Chromium isn't a full browser. My only point is that Chrome is a proprietary, binary blob, and as such not open source. Whatever excuses Google might have for that is no better than any excuses Microsoft might put forth if they had released a similar browser. If you care about open source, then you should know that Chrome is not open source.

"Excuses" Microsoft has used in the past include "Open source is less secure because people can see the source."

If you care about open source, then you should know that Chrome is not open source.

Caring about open source doesn't mean I demand it for absolutely everything. The fact that Chrome is almost entirely based on Chromium tells me two things: First, that Chromium is there waiting for me if Chrome ever becomes a problem, and second, Chrome isn't likely to have anything particularly evil attached to it.

Which is the crux of the problem. I don't want or need google's tracking built in(among whatever else they have in it) even if I have the option to turn it off. Chromium works fine, Chromium Updater exists for updating it, and it works very well.

Why does it bother you that it's there, although you can turn it off? That's a bit like complaining that it has a back button, even if you never use back buttons -- do you actually need it to not be compiled in?

I mean, if you do, that's one of the perks of a source distro like Gentoo, but it seems like a waste to me.

If Microsoft released a hypothetical browser based on Chromium, let's call it Crummium, it would be exactly the same thing, but without the Googly-woogly "trust us, we're not evil" claim attached.

Given that Microsoft has a long track record of evil, and Google has a stated goal to not be evil, trusting them carries a bit more weight. And again, most of the browser is open -- how difficult is it to analyze what the rest is doing?

Now, consider the unfortunate alternative -- if Chromium was the only version, there'd be a scary process -- no matter how streamlined, it'd still have to present the user with scary legal warnings -- to get h.264 working, which, unfortunately, is needed for good HTML5 video

Given that Microsoft has a long track record of evil, and Google has a stated goal to not be evil, trusting them carries a bit more weight.

Actions speak louder than words. Microsoft's evil tends to revolve around vendor lock-in and unfairly stomping on their competitors. Google's evil revolves around Big Brother type information gathering. Trusting Google because of their motto is ridiculous.

And again, most of the browser is open -- how difficult is it to analyze what the rest is doing?

What are you proposing? To do a binary diff between the compiled open source version and Google version? Followed by disassembling and analyzing the diff, probably without debugging symbols? That would be a major pain in the ass, even if the two binaries w

Microsoft's evil also involves outright lies, and the concept of "FUD" was pretty much invented, I suspect, to describe Microsoft.

Google, by contrast... "Big Brother"? Have you read 1984? Google likes to gather information, yes -- and like Facebook and everyone else, they only gather information from people who willingly donate said information, or from information already in public spaces.

Unlike Facebook and everyone else, they have a track record of, in the very worst example I'm aware of (wireless snoopi

Yes I have. Obviously the current situation isn't like the brutal dictatorship in the book, but the information gathering is getting there. Not a camera in your home, but spying on all the sites you visit.

they only gather information from people who willingly donate said information, or from information already in public spaces.

"willingly" would be opt-in, instead of having to opt-out. How many web sites use Google Analytics? Google also owns DoubleClick.

by accident

There's nothing accidental about collecting all this information (ignoring the wireless case), which once collected, can be abused. If they get a National Security Letter they wi

How many of those websites jumped out of the Internet, grabbed your browser, and forced you to visit them? If you don't trust a website to not use Google, why would you trust that website with the same information?

If they get a National Security Letter they will have to comply with it.

They have publicly fought government requests for information.

If a rogue employee decides to misuse the data, it's done.

And how do you know what procedures they have in place to prevent this situation? This isn't Facebook, where that sort of thing actually happens.

It's completely Google's fault for requiring H.264. They could always fall back to another format.

How many of those websites jumped out of the Internet, grabbed your browser, and forced you to visit them?

And who actually consented to a massive, collusive information gathering program? People are just browsing normally for other reasons, not to be spied on. They have to go out of their way to avoid this spying. That's why it's opt-out, and not opt-in.

They have publicly fought government requests for information.

Very well, but they could always lose in such a suit.

And how do you know what procedures they have in place to prevent this situation? This isn't Facebook, where that sort of thing actually happens.

Whatever procedures they have in place, the possibility is there. And how do you know it doesn't actually happen at Google? How many years was Facebook around before you heard about data breaches? And what abo

You did, with every website you visited -- though I have to wonder where you get "collusive" from.

A huge number of 3rd party sites agree to give Google data on your browsing habits. People are just trying to live their lives normally -- the web is just part of the basic infrastructure. Web sites don't prominently display their data collection activities. Most people are not technical and don't understand stuff like Google Analytics. This is a massive, data sharing program without informed consent, and Google is the ring-leader.

Yes, they could, but I think it kills your "They are evil" argument. It certainly kills any comparison with Big Brother, when they actively fight the government.

They're evil for collecting all this information where it can be misused. The

Many have "privacy policies" -- how prominent would be prominent enough?

Most people are not technical

Yes, and whose fault is that? The information they would need is readily available. Alternatives exist.

Maybe I'm being insensitive here, but I'm really sick of the meme that otherwise intelligent people should immediately be assumed to be drooling morons as soon as they're confronted with a computer -- that they need to be protected from themselves. The entire antivirus market currently thrives on this assumption, when the single best w

Many have "privacy policies" -- how prominent would be prominent enough?

You have to visit the site before you can even read the privacy policy. And who wants to read a bunch of legalize just to browse the web?

Maybe I'm being insensitive here

Yes, you are. You think people should have to walk around wearing disguises instead of having a reasonable expectation of privacy. It's as if every business you visited in public decided to identify you and report your whereabouts to a central party. That's fucked up.

I'm really sick of the meme that otherwise intelligent people should immediately be assumed to be drooling morons as soon as they're confronted with a computer

I care about privacy, I'm technically literate, I avoid cookies, and browse with NoScript. However, even I

if you live in the USA, isn't it a bit of a problem that your chosen media codec solution involves deliberate lawbreaking?

It is -- so I call it civil disobedience.

Except it doesn't require lawbreaking. I have a copy of Windows 7, which includes an h.264 decoder. I have an nVidia video card, which includes a hardware h.264 decoder, and a Linux driver for it. Both of these are bought and paid for, including all licensing fees.

So, if Firefox just used what my OS already had available -- if it just hooked into GStreamer, DirectShow, CoreVideo, etc -- it would Just Work, and it would be entirely legal. They refuse to do this.

if you're going to do that, shouldn't you also be willing to undergo mass arrests and trials?

if you live in the USA, isn't it a bit of a problem that your chosen media codec solution involves deliberate lawbreaking?

It is -- so I call it civil disobedience.

Notwithstanding your comment about how you already have a patent license through other means, "civil disobedience" isn't the same as "doing it and not getting caught". In the original sense, "civil disobedience" means breaking the law in public, daring the police to arrest you / civil lawsuits to fly, and using the obvious injustice of the response to inflame the public against the bad law. DeCSS in your.signature is civil disobedience, downloading a gray-market codec from a non-US APT repository is mere

"civil disobedience" isn't the same as "doing it and not getting caught".

Oh, I agree...

In the original sense, "civil disobedience" means breaking the law in public, daring the police to arrest you / civil lawsuits to fly, and using the obvious injustice of the response to inflame the public against the bad law.

I suspect the public is too lazy for that to really work, but I'm also too lazy to make a huge public show of it. However, I make no secret about the fact that, for instance, I crack DVD copy protection, because my only other options are to boot Windows just to watch a DVD, or revert to an absurdly old version of Ubuntu that I got from Dell which (I think) came with legal copies of the relevant codecs and an approved player.

In other words, I'm not marching the capital steps with a movie playin

Realistically, you should be using Firefox anyways since Chrome doesn't support the hooks that NoScript needs to work, and NoScript is required(imho) for any power user(which everyone on Slashdot should be, or used to be).
As far as the rest, there are ways available to put native PDF/flash support in Chromium, support H264, and update. The benefits of open source

Which hooks would those be? In particular, if Adblock Plus can work, why can't NoScript?

NoScript is required(imho) for any power user(which everyone on Slashdot should be, or used to be).

No thanks, I'd much rather have a blacklist than a whitelist, for several reasons. One is that I like to be aware of the kind of crap each website is offering to the layman -- for example, I try to avoid websites that use Kontera and the like, rather than trying to make them tolerable.

Another is that when scripting is enabled, a site can progressively enhance itself to actually improve the experience. As I understand it,

Chromium is the open source version that Chrome, the proprietary browser, is built on. (Basically, they take Chromium, add codecs they can't legally include in Chromium, maybe a little branding, and release it as Chrome.)

The same is true of the OS -- the only reason it's "Chromium OS" is that the actual "Chrome OS" hasn't been released yet, because the community version isn't done yet.

It makes very little sense to sandbox the application. sandboxing should be delegated from the application to the OS. I note that mac OSX have this built into the OS, but only a few applications like xgrid actually use it. The good news is that apps don't need to be sandbox aware to be sandboxed after the fact. I saw on mac osxhints were someone wrote a sandbox config file for firefox that forces firefox to run with reduced privledges and disk access.

Ideally, yes, but modern OSes (excluding Chromium OS, maybe) don't always provide sufficient sandboxing, and they do it in different ways. This would be both additional security where it's needed (as well as ways for communicating in and out of the sandbox), and, hopefully, support for whatever native sandboxing options are available (it kind of needs those anyway -- Chrome already uses a chroot jail, I think).

we don't know if it doesn't include more stuff, like things that would be bad for privacy (but good for Google).

However, the fact that most of the code is open means we have a lot more insight into how it works, meaning if anyone wanted to reverse engineer it, it'd likely be a lot easier than, say, IE.

Also, if you look at the other things Google has released, very rarely do you find them using this pattern. It seems far more common that they either don't let you download anything, or they offer full source under a reasonable license. The "official story", boring as it is, makes sense.

They say that they have working code for FreeBSD release-8. It makes me wonder if there is some relationship between Capsicum and FBSD's jails, or if FBSD is just being used because it is an environment of interest with the security/sandboxing community right now.

Sounds like the permissions you specify for Android apps. That's all fine and dandy for a new platform and we all wish someone had bothered to require least privileges back in the day for our favorite OS, but they didn't. And if they had, it would have been too much work to program for anyway, so something else would have become our favorite OS. So now we have to port all our code to use a new scheme and that's far more work than anyone is willing to do. So we'll remain insecure. Case in point: selinux. Sou

I think he means that they have become application environments, giving access to all the fundamental services of the underlying operating systems, through their own API and security models, with their own set of bugs.

These are major and invasive changes to POSIX. No reasonable person would expect to be able to do things like change PID semantics or shared memory. Yes, it might solve the problem that they sought to solve. But I would be very surprised to see this meet with any large-scale deployment.
It's better to work with the system than to just arbitrarily decide Unix is wrong and rewrite it.

I presume that you didn't actually read the API man pages. The interface follows squarely in the footsteps of the Unix design philosophy. No PID semantics are being changed, either. They've introduced process descriptors which, among other things, allow you to poll for process exit. They allow you to attach restrictions to descriptors, presumably so that a broker could open resources (files, sockets), restrict the allowable operations, and then pass them to sandboxed applications over a domain socket. It's all quite simple and powerful and exactly what I would love to see incorporated into POSIX.

hese are major and invasive changes to POSIX. No reasonable person would expect to be able to do things like change PID semantics or shared memory.

I don't think that they are expecting people to wholeheartedly change the 30+ year old POSIX API and adopt their new developments. This is research, remember? These are students who are exploring new ways to improve security and address problems with the POSIX API. It's there, we can adopt what we want, and in the meantime, students learn examples of how to writ

An OS that has this functionality looks and acts exactly like a POSIX OS. It's up to the application program to call the appropriate APIs as necessary to properly sandbox things (and some parts of each app will potentially be sandboxed differently than other parts).

One of the researchers involved is Robert Watson who has heavily been involved in FreeBSD for many, many years. Knowing that he's doing this reassures me that this is well thought

Really? I am unaware of a (common) browser that is able to do much more than work with data...

Let's try to leave the the analogies used to educated luddites out of summaries intended for people that *KNOW* the difference between an OS and an application.

There are certainly many companies out there that want your OS to be nothing more than a web browser. That way they can sell software as a service. For things like Google Gmail, Google Calendar , Google Docs, etc. Microsoft is slowly moving in that direction as well. Its much more profitable to sell based on usage or per month, rather than selling you a perpetual license. Many businesses are moving towards the desktop being little more than a terminal with the applications actually running on a central

Given virtualization as a concept no longer ties an OS to hardware interaction, browsers that can provide an increasingly powerful application framework are not that much removed from being an operating system. Firefox is capable of everything the old 8bit OS's were capable of and more. That is, other than provide direct hardware access.

I know it's/. and all, but a little effort to read the paper would be nice. Or even, a stop at pretending SELinux is the solution to everything, because that was never its aim (or achievement).

5 Comparison of sandboxing technologies

We now compare Capsicum to existing sandbox mechanisms. Chromium provides an ideal context for this comparison, as it employs six sandboxing technologies (see Figure 12). Of these, the two are DAC-based, two MAC-based and two capability-based....

5.4 SELinux

Chromium’s MAC approach on Linux uses an SELinux Type Enforcement policy [12]. SELinux can be used for very fine-grained rights assignment, but in practice, broad rights are conferred because fine-grained Type Enforcement policies are difficult to write and maintain.The requirement that an administrator be involved indefining new policy and applying new types to the filesystem is a significant inflexibility: application policies cannot adapt dynamically, as system privilege is required to reformulate policy and relabel objects.

The Fedora reference policy for Chromium creates a single SELinux dynamic domain, chrome sandbox t, which is shared by all sandboxes, risking potential interference between sandboxes. This domain is assigned broad rights, such as the ability to read all files in/etc and access to the terminal device. These broad policies are easier to craft than fine-grained ones, reducing the impact of the dual-coding problem, but are much less effective, allowing leakage between sandboxes and broad access to resources outside of the sandbox.

In contrast, Capsicum eliminates dual-coding by combining security policy with code in the application. This approach has benefits and drawbacks: while bugs can’t arise due to potential inconsistency between policy and code, there is no longer an easily accessible specification of policy to which static analysis can be applied. This reinforces our belief that systems such as Type Enforcement and Capsicum are potentially complementary, serving differing niches in system security.

Normally I don't even bother to read ACs, let alone respond to them, but in your case I'll make an exception since you are actually trying to make a cogent point.

Security IS complex - that is why it is better to get it right in ONE place than getting it WRONG many places. Had the researchers put the effort into defining a meaningful set of security contexts within SELinux - contexts that could be used for the WHOLE SYSTEM - they could have not only secured the browser, but everything else. Instead, they took a Barbie-Doll "Security is HARD" approach, and only secured ONE application.

The faults raised in the paper were not with SELinux itself, but rather with a specific implementation of a security policy, created by one vendor, which USES the SELinux framework.

Personally, I'd rather see a set of security contexts and attributes:internet_tainted_file: this object (file) was created by a program which has accessed the Internet (more precisely, any network address not marked as trusted).sensitive-file: an object (file) that may NEVER be accessed by an internet-tainted-program (see below)

non-internet-program - a program has no need to open ports outside the local network or access internet_tainted files.internet-program: a program which MAY access the internet, but has not yet done so.sensitive-tainted-program: a program which has accessed a sensitive-file, and thus may NEVER access the Internet. An internet-program may transition to the sensitive-tainted-program state by accessing a sensitive-file object.internet-tainted-program: a program which has accessed the Internet, or accessed an internet_tainted_file.

That way, programs that have no need of frobbing the Internet (e.g. gedit) CANNOT access it. Programs that have touched sensitive files (e.g./etc/shadow) likewise can NEVER touch the 'Net. Programs that have touched the 'Net can NEVER access sensitive files.

That's just the tip of the iceberg - but getting a proper set of security contexts can not only protect the browser, but EVERY program on the system.

And that is why I raised this point: all Google is securing is their own stuff (and only to the extent a malicious exploit cannot work around their solution, which is code in the application), rather than contributing to the greater security of the whole system.

At the USENIX talk, the authors explained that one of the flaws in SELinux, not just Chromium's use of it, was the need to enumerate all sandbox domains statically in a policy file. The approach used in Chromium, and that you describe, allows different web sites to attack each other when rendered in the same browser, since they're not protected from each other. Capsicum allows applications such as Chromium to create as many sandboxes as they need dynamically. They also repeatedly said during the talk that c

What? There has? Do you mean the way it now asks me 'Are you sure you want to give this application a chance to destroy your computer? Y/N' and if I say 'No' I can't use the application?I mean, if I really want to run that application I have no choice but to click 'Yes' and then if it was a virus after all I'm screwed.What I'd want is a way to have more control over the program. Maybe put it in a sandbox and trick it into thinking it's got full privileges even though it's really sandboxed so it won't crash

What I'd want is a way to have more control over the program. Maybe put it in a sandbox and trick it into thinking it's got full privileges even though it's really sandboxed so it won't crash or maybe just set advanced settings for that specific application to disallow it from writing to specific registry/files/network/other process' memory.

Dammit, now I'm feeling bizarrely tempted to write a IE plugin that contains emacs. I have no idea why I'd want to do this; I don't even really like emacs. The idea is truly bizarrely compelling, though.